On 05/30/2009 12:52 AM, John Kane wrote:
Thanks for the response, Kyle.

I've pretty much deduced what the error is, but just cannot figure out where it is coming from.  It only happens when I turn on TLS for LDAP.  There are really no 'variables' defined in the LDAP configs; nothing using the '[ "$blah" = blahblah ]' syntax.... that is why I turned to this list hoping to find what other file (non-ldap) might be read ONLY when I had the 'ssl start_tls' set in my ldap config.

John


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Kyle Hamilton
Sent: Friday, May 29, 2009 10:19 PM
To: openssl-users@openssl.org
Subject: Re: TLS w/LDAP

That's an error in the script you're launching at startup.  I don't
know what it is, but I'd bet there's an unquoted '[' character
somewhere that is only evaluated when TLS LDAP is enabled.  (see the
'-bash: ' at the beginning of the line?  That tells you that bash is
generating the error message.)

-Kyle H

On Fri, May 29, 2009 at 1:34 PM, John Kane
<john.k...@prodeasystems.com>  wrote:
I just turned on TLS on my LDAP (per instructions on
http://www.openldap.org/faq/data/cache/185.html).  Now all of my Linux
servers give the following error on login:

-bash: [: =: unary operator expected

The error goes away when I turn TLS back off.  I cannot determine what
is causing this error, or even which file contains the error.  I've gone
through my LDAP config files and cannot find an issue in any of them.

Other than my cacert.pem, and the LDAP config files, are there other
files that are read only when TLS is turned on?

Thanks,
John

++++ Here are my configs ++++

I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss
file):

        ssl start_tls
        tls_checkpeer yes
        tls_cacertfile /etc/openldap/cacerts/cacert.pem
        tls_cacertdir /etc/openldap/cacerts/


and have the following in my /etc/openldap/ldap.conf (openldap file):

        HOST 172.25.3.97
        BASE dc=example,dc=net
        TLS_CACERTDIR /etc/openldap/cacerts/
        TLS_REQCERT allow

and my (self-signed) cacert:<snip>
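The diagnosis in Kyle's reply (an unquoted variable inside a `[ ]` test, where the variable is empty only when the LDAP-backed lookup fails) can be reproduced in a few lines. The script below is an added example, not code from the thread or from any of the posters: it shows the buggy and the quoted form of the test side by side, captures the shell's own diagnostic so you can see it is bash and not LDAP complaining, and greps a constructed sample startup script for unquoted `[ $VAR` tests. The variable names, the `ldapadmins` group and the `getent`-based scenario are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: it reproduces the
# "[: =: unary operator expected" diagnosis (an unquoted variable inside a
# [ ] test that is empty only when the LDAP lookup fails), shows the quoted
# form that fixes it, and greps a startup script for such tests.
# Variable, function and group names are assumptions.

# Buggy form: with an empty value, the test expands to `[ = yes ]`. There is
# no left operand, so the shell prints "[: =: unary operator expected"
# (bash wording) and returns 2, the status for a malformed test.
tls_enabled_unquoted() {
    TLS_MODE=$1
    [ $TLS_MODE = yes ]
}

# Fixed form: quoting keeps the empty value as an empty word, so the test is
# `[ "" = yes ]`, which returns 1 (false) without any diagnostic.
tls_enabled_quoted() {
    TLS_MODE=$1
    [ "$TLS_MODE" = yes ]
}

# Exit status of a check (stderr discarded), printed on stdout.
status_of() {
    if "$@" 2>/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# The diagnostic the buggy form prints for an empty value; the shell name in
# front of it is what tells you the shell, not LDAP, produced the error.
error_text() {
    tls_enabled_unquoted "" 2>&1 || true
}

# Write a constructed startup-script sample (not from the thread) to $1.
# The group lookup goes through NSS, so it returns nothing when the LDAP TLS
# handshake fails, and only then does the unquoted test on line 3 break.
write_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample of a /etc/profile.d-style script
ADMIN_GROUP=$(getent group ldapadmins | cut -d: -f1)
if [ $ADMIN_GROUP = ldapadmins ]; then
    export PS1='[admin] \u@\h:\w\$ '
fi
if [ "$ADMIN_GROUP" = ldapadmins ]; then
    :
fi
EOF
}

# List lines in $1 where a [ ] test starts with an unquoted $variable
# (the quoted form on line 6 of the sample is not reported).
find_unquoted_tests() {
    grep -n '\[ *\$[A-Za-z_{]' "$1" || true
}

# Stand-alone demo: sh this_file.sh
printf 'empty value, unquoted test -> status %s\n' "$(status_of tls_enabled_unquoted "")"
printf 'empty value, quoted test   -> status %s\n' "$(status_of tls_enabled_quoted "")"
printf 'value yes, quoted test     -> status %s\n' "$(status_of tls_enabled_quoted yes)"
printf 'diagnostic: %s\n' "$(error_text)"
SAMPLE=$(mktemp)
write_sample_profile "$SAMPLE"
find_unquoted_tests "$SAMPLE"
rm -f "$SAMPLE"
```

Running `find_unquoted_tests` over the files sourced at login (for instance the scripts under `/etc/profile.d`) is the quickest way to locate the test Kyle is describing; a value containing whitespace trips the same unquoted test with "too many arguments" instead, which is why the quoted form is the right fix rather than a default value alone.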




John,

I feel that having the TLS_CACERTFILE and TLS_CACERTDIR both defined is causing a problem. I suggest sticking with the TLS_CACERTFILE and commenting out the other. On the OpenLDAP side (openldap file), make it TLS_CACERT and reference the cacert.pem file instead of using the TLS_CACERTDIR directive.

Hope this helps,

---Sal


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
